From 59f1f8251ec9b9740c81acf496ab67905ab8a757 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Mon, 1 Dec 2025 18:45:01 +0100
Subject: [PATCH] Set a CSP header on all attachments
---
 django/archives/mailarchives/views.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py
index c1118ac..fe74f7c 100644
--- a/django/archives/mailarchives/views.py
+++ b/django/archives/mailarchives/views.py
@@ -395,6 +395,7 @@ def attachment(request, attid):
 return HttpResponse(bytes(r[0][3]), content_type=r[0][1], headers={
 'X-attached-to-message': r[0][2],
+ 'Content-Security-Policy': "default-src 'none'",
 })
--
2.39.5
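Review bot: `default-src 'none'` on the added header line does not cover the directives that have no `default-src` fallback, so an HTML attachment served by this view can still submit a form, and the response is still treated as a document of the archive's own origin. The `content_type=r[0][1]` value appears to come from the stored attachment, presumably set by whoever sent the mail, so I would tighten the policy to `'Content-Security-Policy': "default-src 'none'; sandbox; form-action 'none'",` and add `'X-Content-Type-Options': 'nosniff',` beside it so browsers keep to the declared type. Confirm that inline PDF viewing is still acceptable with `sandbox`, since some built-in viewers refuse sandboxed documents. attachment() begins above the hunk, so how `r` is loaded and checked is not visible here.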